CRUD: When to use Create, Replace, Update or Delete in Group Policy Preferences?


I have to admit: I don’t use Group Policy Preferences as much as I probably should. Historically, when I migrate clients from a legacy system such as Windows Server 2003 or 2008 to something newer, I tended to leave well enough alone, so to speak, and just update existing logon scripts, batch files or what have you.

But, while those old methods work great for stuff like mapping network drives or deploying printer connections, they just aren’t as flexible, and do not offer the same level of control (or ease of maintenance) as some of the newer tools. Early on (like a decade ago) when I first started running into clients who were having issues with Group Policy Preferences, I usually just scoffed, and reverted them back to what I knew and was comfortable with.

What a mistake! Once I learned that the cause of so many of those issues tended to be poor setup, execution or migration techniques, I started to change my own practices.

One of the areas of confusion that I often run across is IT admins not knowing when to use which setting, and why. To clear it up, here is a quick run-down of CRUD (Create, Replace, Update or Delete). Even Googling this topic and reading the various answers in the forums can be frustrating, to say the least. And I think I can do a little better.

I also think a lot of people who have to do migrations infrequently have this question: “If I am migrating a file share or a printer connection, should I use Create, Replace or Update? Do I need to throw a Delete policy in for the old mappings/connections?” Let me try to answer these concerns now:

Create – You will notice this option comes with a green icon. Green is Good! Right? Green actually indicates that this action is very low impact and low risk; it’s a “safe” move. For example: if this mapping or connection does not exist, then create it. Otherwise, if it does exist, then do nothing. But if you’re trying to use this during a migration, you might not get the result you want. You might not get your objects to show up, or you could get duplicate objects, depending on the situation. It’s great if you’re deploying brand new objects that have never been in the environment before, but as we will see, Update has the same net result in that case, and it allows you to perform updates to the same object later on. So I almost never use this Create option in practice.

Replace – Unlike its friendlier cousin (above), Replace has an angry red icon and will not only create new objects, but destroy old ones, too. No matter what, you are getting this new object. If using this during migrations, for example when shared folders and mapped network drives are moving from an older file server to a newer one, then be sure to switch it to Update after you are done migrating (so that you don’t have the GPO deleting and recreating this object periodically later down the road). Note: if you go to the Common tab and choose the option to “Remove this item when it is no longer applied” then the action will automatically be changed to Replace.

Update – A yellow icon, as in: Warning! You might overwrite something. You can update the object with new settings, or create the object if it doesn’t exist. However, you should note: it does not remove or destroy any objects. The example I like to use here is that if I try to Update an existing printer connection to refer to a new server path, like changing \\srv-oldprinters\printer to \\srv-newprinters\printer, the result is that I get a new printer (like I wanted) but I keep the old one too (which I didn’t want). I would have had to add a Delete action for the old path, since Update cannot delete anything, like Replace can. Remember: if there is no existing object to update, then create the object, but don’t delete any objects, just update them. Because of this behavior, I usually choose this action whenever I’m deploying brand new objects, and just update it later on whenever something minor changes with it. For major changes like migrations to new servers, I would use Replace, since Update is much weaker (albeit not as weak as Create). Just be aware that if you use Update in migration scenarios, you may not get the results you want, similar to Create.

Delete – This is exactly what it sounds like: delete the object. Just get rid of it. That’s why this item gets a red x. It is appropriate for use when a share or printer has been permanently removed. Oddly enough, and especially with printer connections, I have found that this may not always be effective, especially if the object was put into place by something other than Group Policy Preferences, so I often create a logon script to blow those items away anyhow, just as extra protection. If the policy works and the logon script is redundant, there is still no harm in covering your bases.

An example of a logon script that can destroy connections to network drives and/or network printers (use only when they are permanently offline):

REM The next line deletes the network drive at P:\
net use p: /d

REM The next line removes a printer connection at \\srv-printers\printer
rundll32 printui.dll,PrintUIEntry /q /dn /n "\\srv-printers\printer"
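
To check which action each item is actually set to after a migration, and which ones are still on Replace, the preference XML can be read directly. This is an added example, not part of the original post; the function name Get-GppItemAction, the trimmed sample XML and its server names are made up for illustration, and it assumes the action is stored as C, R, U or D in the action attribute of each item's Properties element and that "Remove this item when it is no longer applied" appears as removePolicy="1" on the item.

```powershell
# Added example: list the CRUD action of each drive map / shared printer in GPP XML.
# $SampleDrivesXml is constructed sample data (trimmed attributes, made-up servers).
$SampleDrivesXml = @'
<Drives>
  <Drive name="P:" removePolicy="1">
    <Properties action="R" path="\\srv-newfiles\projects" letter="P" useLetter="1"/>
  </Drive>
  <Drive name="G:">
    <Properties action="U" path="\\srv-newfiles\general" letter="G" useLetter="1"/>
  </Drive>
  <Drive name="H:">
    <Properties action="D" path="\\srv-oldfiles\home" letter="H" useLetter="1"/>
  </Drive>
</Drives>
'@

$ActionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

function Get-GppItemAction {
    param(
        [Parameter(Mandatory)][xml]$Xml,
        [string]$Source = '(inline sample)'
    )
    # Drive maps are <Drive> elements, printer connections are <SharedPrinter>;
    # the action code sits on the <Properties> child (assumption stated above).
    foreach ($item in $Xml.SelectNodes('//Drive | //SharedPrinter')) {
        $props = $item.SelectSingleNode('Properties')
        $code  = if ($props) { $props.GetAttribute('action') } else { '' }
        [pscustomobject]@{
            Source       = $Source
            Type         = $item.LocalName
            Name         = $item.GetAttribute('name')
            Path         = if ($props) { $props.GetAttribute('path') } else { '' }
            Action       = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { '(not set)' }
            RemovePolicy = $item.GetAttribute('removePolicy') -eq '1'
        }
    }
}

$report = Get-GppItemAction -Xml $SampleDrivesXml
$report | Format-Table Type, Name, Action, RemovePolicy, Path -AutoSize

# Items to revisit after cutover: still on Replace, so deleted and recreated by the GPO.
$report | Where-Object Action -eq 'Replace' | Format-Table Name, Path, RemovePolicy -AutoSize

# Against a real domain (assumption: domain-joined machine with read access to SYSVOL):
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies" -Recurse -Include Drives.xml, Printers.xml |
#     ForEach-Object { Get-GppItemAction -Xml (Get-Content $_.FullName -Raw) -Source $_.FullName }
```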


Comments (25)

  • Joris Reply

    Hi Alex, one caveat when using Replace when mapping network drives is that it removes the drive and then recreates it. Policies tend to be applied at a random interval when the computer is booted, so as a result you will lose your network drive for a second every now and then. When you use programs which rely heavily on this network drive letter they can crash. I have seen this on Access databases for example. So best is to put it on update after some days and you’re sure that every old connection is gone.

    September 11, 2017 at 7:29 am
    • Alex Reply

      Yes I should update this article, I usually like Replace only at the time of migration. After cutover has taken place, it can be switched to Update.

      September 21, 2017 at 3:04 pm
  • Anton Reply

    Hi Alex,

    Nice article. May I ask what are the ‘newer tools’ that you’re referring to?

    Cheers,
    Anton

    February 1, 2018 at 5:41 pm
    • Alex Reply

      Well in this context the GP preferences were “newer” than the old fashioned logon script method. But these days, I suppose the tools are shifting to 365, and device management. I don’t have a lot of content about that. Just some of the MDM capabilities, but more is on its way, especially under the new “Microsoft 365” offering. Stay tuned.

      February 11, 2018 at 7:16 pm
  • Tom Reply

    Interestingly, I have been notified that with “create”, when GPO refreshes across site it will recreate i.e. a drive map and then disconnect any programs which are running over the existing drive map, so to keep it on “update”. Although I am not sure this is correct, as what I’ve read (here and other places) states that if the drive map is there, then when the policy is on “create” it will just do nothing to the existing drive.

    What are your thoughts on that?

    October 24, 2018 at 10:38 am
    • Alex Reply

      With Replace it will behave as you mention. It will not behave that way on either create or update.

      October 26, 2018 at 6:53 pm
  • Brandon K Reply

    Sometimes I get lucky and find the exact right post I was looking for. Thanks for the clarity on this. Keep up the good work.

    Now I am off to “Update” some reg keys!!

    December 17, 2018 at 2:57 pm
  • Daniel U Reply

    Hi, thanks for this article. I have searched for an easy explanation of the differences and you nailed it.

    Thanks a lot.

    December 29, 2018 at 6:53 am
  • stefan Reply

    Is there a difference between connection speed referring to a network connection?

    January 4, 2019 at 5:13 am
    • Alex Reply

      Sorry I do not follow the question?

      January 4, 2019 at 6:29 pm
  • badbanana Reply

    “Note: if you go to the common tab and choose the option to “Remove this item when it is no longer applied” then the action will automatically be changed to Replace.”

    Hi. The above note, can you clarify because if you are already choosing the Replace action, why would it go to Replace again after choosing “Remove this item when…”?

    June 10, 2019 at 7:04 am
    • Alex Reply

      The note means that if you had a different action selected, then if you use the option to “remove this item when it is no longer applied” it will automatically get switched to replace.

      June 10, 2019 at 10:09 am
  • fedayn Reply

    Hi,

    Best choice would be Replace along with another GPO setting:

    https://www.thewindowsclub.com/disable-background-processing-registry-policy

    Regards.

    June 20, 2019 at 4:52 am
  • SCOTT ALLIE Reply

    This was a good post, and I appreciate you taking the time to put it together.

    July 10, 2019 at 8:28 am
  • Jo Reply

    Great post, helped me put my point across to my org during a migration

    August 16, 2019 at 9:26 am
  • Tony Reply

    Hello! Thank you for sharing. Very useful.

    December 2, 2019 at 10:35 am
  • Dave Reply

    What an excellent explanation, thank you so much! I’ve used the GP Drive Maps during migrations in the past and was never clear on how each was different from the other. Thank you for explaining the nuances.

    January 28, 2020 at 7:37 am
  • Elf Reply

    Hello
    when you add a new share, it has an order number,
    how can I change the order number after? (I want to start with a “delete all share”)

    thx !

    February 10, 2020 at 5:51 am
  • Joost van Haaren Reply

    We are trying to change home drives for our users from servers to OneDrive…however during the migration we still want to allow our users “read-only” access to their “old” Home Drive location. We’ve spent a few days wrapping our heads around this and would like your opinion.
    Currently: G: is mapped to \\server1\data\home\%username%
    Plan to copy over all files/folders of their G: drive to users OneDrive for Bus folder, keeping everything still in old location for about 2 weeks. We then want to remap Drive G: to new location that is same but uses a Read-Only Shared folder permission, such that G: would be mapped to: \\server1\data_RO\home\%username%. How would you perform this and what would the order be in the G: drive mapping preferences policy.
    Thanks for your help!

    May 3, 2021 at 7:43 pm
    • Alex Reply

      I think what you have laid out would work okay. But here is what I normally do with OneDrive:

      I make the users move their own data to OneDrive. That’s right. Why? Because it is the key adoption driver for files in the cloud, and the users have a responsibility to learn the new application. As well, I like to encourage users to do “spring cleaning” and only bring along the data that is actually useful to them. They probably don’t need all the garbage from the old file system. But they are the best people to identify what comes and what goes. This “clean slate” approach I have found to be best.

      As regards the source location I tell them to use CUT and paste (not copy) to get the data into OneDrive that they want to keep, but I also set a deadline on this activity, and at the end of the deadline I move the source shares to read-only. That way, they can still refer to it if necessary like an archive, and copy/paste whatever else they need into the cloud.

      Then at some future point the old file locations are just removed.

      I take a similar approach with relocating data into Teams (it is the job of the Team owners to migrate their own data), and we do it on a similar timeline, where we go through cut/paste phase then move to read-only then eventually it goes dark or we move the archive to another location using migration tools at later time.

      May 5, 2021 at 5:31 pm
  • Fred Marshall Reply

    I have GPOs using Replace and the application impacts have become clear.
    So, we are changing the drive maps to Update.
    It seems:
    IF conditions in an Update GPO are changed then they will be applied.
    But:
    What if a GPO is copied? Will the copy be applied?
    What if a new GPO with new drive maps to the same letters is linked and the old one unlinked?
    I’m trying to figure out when an Update will be applied and when not.
    Is simply keeping the GPO name the same enough?
    What happens if the name is changed and the settings are also changed. Will the settings be applied with Update? After all, the maps do already exist, eh?

    August 13, 2021 at 3:12 pm
  • Eric Myers Reply

    Alex, I’m looking at changing FSMO roles on our DCs. When I do that, I also need to change our NTP time server to the PDCe (Win 2019). I am updating the System Policy to change the parameters. But, I also need to change the registry key that controls the AnnounceFlag setting to 0x5 from 0xA (decimal 10). I have that set to “Replace”, and force it to 0x5. I know that GPOs update every 90 minutes +- 30. Should I be setting that to update, so it doesn’t keep changing the setting once it’s set? Or, should I leave as “Replace” to ensure that no matter if someone sets it manually, it will always revert back to 0x5? We also use a WMI filter to affect ONLY the DC that is the PDCe. Your thoughts are appreciated on this. My gut is to leave as “Replace”. Also, just for the record, we only have 22 DCs.

    May 18, 2022 at 11:16 am
  • Broonste Reply

    In your explanation of “Update” you use printer mappings. Now you can obviously have more than one printer mapped on a PC but you cannot have more than one G: drive for example. So what happens if you change the path for a drive mapping in an existing GPP that is set to “Update”? Won’t it delete the old drive mapping and create a new one?

    February 9, 2023 at 3:26 pm
  • EricSwenson Reply

    Nope. Update isn’t exactly *useless* for drive mapping, but close to it. From what I can tell it will change the Label, and that’s about it. Because the G: drive is already mapped, “Update” can’t delete and recreate it, so nothing happens. (Just like you can’t “edit” a mapped drive yourself, you have to start over.) I think for drive mapping Update is more or less only useful if you tell users to manually disconnect the old drive with a right click, at which point the drive will be created by “Update”. But then…”Create” is essentially the same thing…..so, yeah.

    The one thing you could do is the “start with” instead of prescribing a letter, and you’ll end up with 2 maps.

    March 16, 2023 at 6:42 pm
  • Broonste Reply

    Yes Eric, I agree. For drive mappings “Update” is utterly useless. The main use case for “Update” when it comes to drive mappings, if it actually worked, would be when you wanted to change the UNC path of the mapping, but when you do that, nothing is updated.

    The only way to change the UNC path of the mapping is to use replace, which is far from ideal, because of the application crash behavior, mentioned right at the top of the comments, as the drive mapping is deleted and re-created.

    November 1, 2023 at 10:54 pm
